
User17347302773899300877 (Customer) asked a question.
Does Okta support exchange of Okta-issued SAML2 assertions for an OAuth access_token?
I am trying to do it and getting this error:
400 Bad Request
Token exchange failed: Bad Request - {"error":"invalid_request","error_description":"'requested_token_type' is invalid or not supported."}
Token exchange is already set up and tested for exchanging an OAuth access_token from a trusted Auth. server for a token of another Auth. server.
The SAML 2.0 Assertion and Token Exchange grant types are enabled in the Auth. server referenced by the Token Exchange request (the target Auth. server).
The request is authorized with Basic auth using client_id and client_secret.
I use a custom scope "obo", which previously worked for OAuth-to-OAuth token exchange.
Here is the request body sent to the target Auth. server:
grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&subject_token_type=urn:ietf:params:oauth:token-type:saml2
&subject_token=<url-decoded Okta SAML assertion, not expired>
&requested_token_type=urn:ietf:params:oauth:token-type:access_token
&scope=obo&audience=<url-decoded target Auth. server audience>
I also tried removing the requested_token_type parameter, or requesting a saml2 token instead of an access_token using:
&requested_token_type=urn:ietf:params:oauth:token-type:saml2
and that also does not work.
What am I doing wrong?
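For reference, here is how the request body above is assembled per RFC 8693 (token exchange) and how the error response quoted in the question can be parsed and checked against the authorization server's published metadata. This is an added example, not code from the poster or from Okta; the client credentials, the assertion XML, the audience value, the metadata document and the helper names are all constructed assumptions, and nothing here asserts which subject token types a given Okta authorization server actually accepts.

```python
import base64
import json
from urllib.parse import urlencode, parse_qs

# RFC 8693 identifiers used by a SAML2-to-access_token exchange.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
SAML2_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_token_exchange_request(client_id, client_secret, saml_assertion_xml,
                                 audience, scope="obo",
                                 requested_token_type=ACCESS_TOKEN_TYPE):
    """Return (headers, form_body) for an RFC 8693 token exchange.

    RFC 8693 section 3 defines a saml2 subject_token as the base64url-encoded
    SAML 2.0 assertion; urlencode() then applies the form encoding, so the
    assertion must not be pre-encoded or pre-decoded by hand.
    """
    subject_token = (base64.urlsafe_b64encode(saml_assertion_xml.encode("utf-8"))
                     .rstrip(b"=").decode("ascii"))
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token_type": SAML2_TOKEN_TYPE,
        "subject_token": subject_token,
        "scope": scope,
        "audience": audience,
    }
    # requested_token_type is optional in RFC 8693; pass None to omit it,
    # as the poster tried.
    if requested_token_type is not None:
        params["requested_token_type"] = requested_token_type
    # client_secret_basic: base64(client_id:client_secret) in the Authorization header.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(params)


def decode_subject_token(form_body):
    """Recover the assertion XML from a form body (reverses the encoding above)."""
    token = parse_qs(form_body)["subject_token"][0]
    padded = token + "=" * (-len(token) % 4)  # restore base64 padding
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def classify_error(status_code, response_text):
    """Parse an OAuth error body of the shape quoted in the question.

    Returns the RFC 6749 error code, the description, and the request
    parameter the description names in single quotes, if any.
    """
    prefix = "Token exchange failed: Bad Request - "
    payload = response_text[len(prefix):] if response_text.startswith(prefix) else response_text
    try:
        data = json.loads(payload)
    except json.JSONDecodeError:
        return {"status": status_code, "error": None,
                "description": response_text, "rejected_parameter": None}
    desc = data.get("error_description", "")
    rejected = None
    for name in ("requested_token_type", "subject_token_type", "subject_token",
                 "audience", "scope", "grant_type"):
        if f"'{name}'" in desc:
            rejected = name
            break
    return {"status": status_code, "error": data.get("error"),
            "description": desc, "rejected_parameter": rejected}


def supports_token_exchange(metadata):
    """Check an OAuth authorization-server metadata document (RFC 8414)
    for the token-exchange grant and the basic client auth method."""
    grants = metadata.get("grant_types_supported", [])
    auth_methods = metadata.get("token_endpoint_auth_methods_supported", [])
    return TOKEN_EXCHANGE_GRANT in grants and "client_secret_basic" in auth_methods


# Constructed sample inputs (not real credentials, assertion or metadata).
SAMPLE_ASSERTION = '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x"/>'
SAMPLE_ERROR_BODY = ('Token exchange failed: Bad Request - {"error":"invalid_request",'
                     '"error_description":"\'requested_token_type\' is invalid or not supported."}')
SAMPLE_METADATA = {
    "grant_types_supported": ["authorization_code", TOKEN_EXCHANGE_GRANT],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
}

if __name__ == "__main__":
    headers, body = build_token_exchange_request(
        "example-client-id", "example-client-secret", SAMPLE_ASSERTION,
        audience="https://target.example.test/api")
    print(headers["Content-Type"], body[:60] + "...")
    print(classify_error(400, SAMPLE_ERROR_BODY))
    print("token exchange advertised:", supports_token_exchange(SAMPLE_METADATA))
```

The metadata check reads the target server's `grant_types_supported` list, which is the first thing to compare against the grant types enabled in the admin console; the error parser pulls out the parameter the server names so a failed exchange can be logged with a single field rather than a raw 400 body.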

Hi @User17347302773899300877 (Customer), thank you for reaching out to the Okta Community!
This question is more appropriate for our dedicated Okta Developer Forum.
My advice would be to reach out via devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-custom/developer work).
In the meantime, this older post from the devforum might help with this.
Regards.